With cyber security becoming a growing concern for organisations and individuals, you may have come across the concept of MITM (man-in-the-middle) attacks.
This blog explains everything you need to know about this attack vector, including how it works, when you’re vulnerable to it and what you should do to stay safe.
What is a man-in-the-middle attack?
MITM attacks exploit how data is shared between a website and a user’s device – whether that’s their computer, phone or tablet.
When you visit a website, your device sends an instruction through an Internet router, which is then directed to the website’s server.
The server acknowledges and completes the instruction, sending the information back to the user’s device through the router.
This process happens so quickly that many of us don’t appreciate how complex it is – and that’s what allows MITM attackers to strike.
Using several techniques (which we explain below), attackers compromise the router, allowing them to intercept data in real-time as it flows between the victim’s computer and the server.
This enables them to eavesdrop on what’s being shared and, in some cases, modify the interactions. That includes the ability to redirect users to a different website or spoof the destination web address.
How MITM attacks work
Attacks are most likely to occur on public Wi-Fi, because such networks are generally less secure than home routers.
That’s not so much a security weakness as it is part of its design. Public Wi-Fi is intended for anyone in the vicinity to use.
Naturally, it will be less secure than your home or office network, which contains protections that ensure only authorised people can connect.
But how do criminals get in the middle?
The first step is to compromise the Internet router, which they can do with tools that scan for unpatched flaws or other vulnerabilities.
Next, they intercept and decrypt the victim’s transmitted data using various techniques.
A basic method is sniffing, in which attackers deploy tools that inspect packets – units of data that are transferred over a network. These can intercept unencrypted information, such as passwords and usernames.
Attackers might also perform packet injection, in which malicious packets are inserted into data communication streams to disrupt victims’ ability to use certain network services or protocols.
A related attack is session hijacking (or cookie hijacking). The criminal sniffs sensitive traffic to identify the victim’s session token.
With that information, the attacker uses source-routed IP packets to intercept data as it’s being transferred from the victim’s computer to the server and make requests as though they were the user.
Finally, cyber criminals attempting to intercept traffic from an HTTPS website might conduct an SSL stripping attack. This involves intercepting packets and altering their address to direct the victim to the less secure HTTP equivalent.
HTTP pages don’t encrypt information as it’s being shared, meaning the attacker can sniff information and perform packet injection.
Types of MITM attack
MITM attacks can take many forms, but these are some of the most common:
- IP spoofing
Every device that connects to the Internet does so through an IP address, which is a number assigned to your device based on your physical location.
By spoofing an IP address, criminal hackers can trick you into believing you’re interacting with the website or person you tried to reach.
- ARP spoofing
ARP (Address Resolution Protocol) is the process that enables network communications to reach a specific device on the network. It does this by translating an IP address to a MAC (Media Access Control) address and vice versa.
Attackers can manipulate this process by sending fake ARP messages that link their own MAC address with their target’s IP address.
As a result, any data sent by the user to the host IP address is instead directed to the attacker.
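The consistency check below is an added example (not code from the original post): it watches a stream of ARP replies, keeps the IP-to-MAC mapping it has seen, and raises an alert when an IP address suddenly changes MAC or when one MAC starts answering for more than one IP, which is what the spoofed replies described above look like on the wire. The `ArpReply` records and the addresses in them are constructed sample data.

```python
"""Detect ARP spoofing from a stream of ARP reply records.
Added example, not code from the original post; all records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # capture timestamp (seconds)
    ip: str     # sender protocol address (the IP being announced)
    mac: str    # sender hardware address claiming that IP


def detect_arp_spoofing(replies, max_ips_per_mac=1):
    """Return a list of human-readable alerts for suspicious replies."""
    ip_to_mac = {}                    # last MAC seen for each IP
    mac_to_ips = defaultdict(set)     # every IP each MAC has claimed
    alerts = []
    for r in replies:
        mac = r.mac.lower()           # normalise case before comparing
        previous = ip_to_mac.get(r.ip)
        if previous is not None and previous != mac:
            alerts.append(f"{r.ts:.1f}s: {r.ip} moved from {previous} to {mac}")
        ip_to_mac[r.ip] = mac
        ips = mac_to_ips[mac]
        if r.ip not in ips:           # alert once per newly claimed IP
            ips.add(r.ip)
            if len(ips) > max_ips_per_mac:
                alerts.append(f"{r.ts:.1f}s: {mac} claims {sorted(ips)}")
    return alerts


# Constructed capture: the gateway answers normally, then a second
# station starts answering for the gateway's IP with its own MAC.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway
    ArpReply(0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),   # attacker's own IP
    ArpReply(1.0, "192.168.1.1", "AA:BB:CC:00:00:20"),    # spoofed reply
]

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
```

A legitimate DHCP reassignment or a replaced network card also trips the first rule, so treat an alert as a prompt to investigate rather than proof of an attack.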
- DNS spoofing
This attack method, also known as DNS cache poisoning, uses modified DNS (Domain Name System) records to send traffic to a fraudulent website.
Those websites typically resemble the real site, meaning visitors are unlikely to spot the misdirect. The site then asks them to provide their login details, giving the attacker the opportunity to siphon off their access credentials.
- HTTPS spoofing
A general rule of thumb for knowing if a website is genuine is if it has a green lock symbol next to it and begins with ‘https://’ instead of simply ‘http://’.
The extra ‘s’ stands for ‘secure’, indicating that the connection between you and the server has been encrypted and therefore can’t be hijacked.
Unfortunately, attackers have developed a way around this. They create their own website that looks identical to the one you’re trying to reach but with a slightly different URL.
For example, a lowercase ‘l’ might become an uppercase ‘I’, or the domain will use letters from the Cyrillic alphabet.
When victims try to reach the legitimate site, the attacker will redirect them to their own site, where they can siphon off information.
Attackers generally do this to steal login credentials for email and website accounts, which they can use to launch targeted attacks like phishing emails. But if the attacker is lucky, the victim will unwittingly visit their online bank portal and hand over their account information.
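The check below is an added example (not code from the original post) of how a client, proxy or mail filter can flag the lookalike domains described above before a user reaches them: it decodes punycode labels, reports labels that mix Latin with Cyrillic or Greek letters, and folds confusable characters (Cyrillic ‘а’ for ‘a’, ‘I’ or ‘1’ for ‘l’) onto a skeleton that is compared with a trusted list. The confusables table and the trusted list are small constructed illustrations, not a complete standard.

```python
"""Flag lookalike hostnames of the kind used in HTTPS spoofing.
Added example, not code from the original post; the confusables table
and trusted list are constructed for illustration only."""
import unicodedata

# Constructed confusables: Cyrillic/Greek letters and ASCII characters
# folded onto the Latin letter they resemble (not a complete table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u03bf": "o", "\u03b1": "a", "1": "l", "i": "l", "0": "o",
}
TRUSTED = {"paypal.com", "example-bank.com"}   # constructed allow-list


def to_unicode(host):
    """Decode punycode ('xn--') labels so the user-visible form is analysed."""
    try:
        return host.encode("ascii").decode("idna").lower()
    except UnicodeError:
        return host.lower()          # already Unicode, or undecodable

def scripts_of(label):
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(host):
    """Fold confusable characters so lookalikes compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def analyse_hostname(host, trusted=TRUSTED):
    """Return (is_suspicious, reasons) for a hostname the user is about to visit."""
    uhost = to_unicode(host)
    if uhost in trusted:
        return False, []
    reasons = []
    for label in uhost.split("."):
        s = scripts_of(label)
        if len(s) > 1:                       # e.g. Latin 'p' beside Cyrillic 'а'
            reasons.append(f"label '{label}' mixes scripts {sorted(s)}")
        elif s and s != {"LATIN"}:
            reasons.append(f"label '{label}' is entirely {next(iter(s))}")
    skel = skeleton(uhost)
    for good in trusted:
        if skel == skeleton(good):           # 'paypaI.com' -> 'paypal.com'
            reasons.append(f"looks like trusted host {good}")
    return bool(reasons), reasons
```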
- Email hijacking
Cyber criminals often target emails between banks and customers with the intention of spoofing the bank’s email address and sending their own instructions. This is a ruse to get the victim to provide their login credentials and payment card details.
- Wi-Fi eavesdropping
Instead of exploiting a vulnerability in an existing Wi-Fi connection, attackers might set up their own Internet hotspot and give it an inconspicuous name – such as ‘Café Wi-Fi’.
All they have to do is wait for a victim to connect, at which point they can eavesdrop on their Internet activity.
How to prevent man-in-the-middle attacks
The threat of MITM attacks might make you reluctant to use public Wi-Fi.
That’s not the worst advice in the world – at least if you intend to do anything that could expose sensitive information, such as logging in to your work email account or online bank account.
In these circumstances, it would be preferable to use your mobile data. If you still want to use your laptop, you can use your phone as a wireless hotspot.
However, you must apply appropriate security controls when doing this so that only you can connect to the network.
If mobile data isn’t an option, here are some other steps you can take to protect yourself while using public Wi-Fi:
- Use a VPN
There are many cyber security benefits of using a VPN (virtual private network), such as the fact that it masks your IP address by routing your traffic through a private server.
VPNs also encrypt the data as it’s being transmitted over the Internet. This doesn’t make you impenetrable to MITM attacks, but it makes life much harder for crooks and will likely cause them to look for an easier target.
- Only visit HTTPS websites
As with VPNs, HTTPS websites encrypt data and prevent attackers from intercepting communications.
Although it’s possible for criminals to circumvent these protections with HTTPS spoofing or SSL stripping, you can thwart their attempts with a bit of legwork.
For example, you can avoid HTTPS spoofing by manually typing the web address instead of relying on links.
Likewise, you can detect SSL stripping by checking that the web address indeed begins with ‘https://’ or has a lock symbol indicating that it’s secure.
The MITM attacker can redirect you from a secure site to an insecure one, but it will be clear that this has happened if you check the address bar.
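The address-bar check described above can be automated. The code below is an added example (not code from the original post): given the hops a client followed, it flags any redirect that moves from https:// to http://, the downgrade that SSL stripping produces, and notes HTTPS responses that lack a Strict-Transport-Security header, which is what tells browsers to refuse such downgrades in future. The `SAMPLE_CHAIN` and `GOOD_CHAIN` hops and the example-bank.test hostname are constructed; no network access is performed.

```python
"""Audit a redirect chain for HTTPS-to-HTTP downgrades and missing HSTS.
Added example, not code from the original post; hops are constructed."""
from urllib.parse import urljoin, urlsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).
    Returns None when the header is absent or carries no usable max-age."""
    if not header:
        return None
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def audit_chain(hops):
    """hops: list of (request_url, status, response_headers). Returns findings."""
    findings = []
    for i, (url, status, headers) in enumerate(hops):
        scheme = urlsplit(url).scheme
        if scheme == "https" and parse_hsts(headers.get("Strict-Transport-Security")) is None:
            findings.append(f"hop {i}: {url} served over HTTPS without HSTS")
        if 300 <= status < 400 and "Location" in headers:
            target = urljoin(url, headers["Location"])   # resolve relative Location
            if scheme == "https" and urlsplit(target).scheme == "http":
                findings.append(f"hop {i}: downgrade {url} -> {target}")
    return findings


# Constructed chains: a stripped session and a correctly configured site.
SAMPLE_CHAIN = [
    ("https://example-bank.test/", 302, {"Location": "http://example-bank.test/login"}),
    ("http://example-bank.test/login", 200, {}),
]
GOOD_CHAIN = [
    ("https://example-bank.test/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_CHAIN):
        print(finding)
```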
- Watch out for phishing scams
Attackers may use HTTPS spoofing or email hijacking to craft tailored phishing emails.
When done right – such as a phoney invoice or a bogus email from your bank asking you to log in to your account – these scams are more lucrative than simply gathering sensitive information and selling it on the dark web.
The good news is that if you can recognise the signs of a phishing scam, you can protect yourself from whatever techniques attackers use.
It’s a skill that is becoming increasingly important as the end of lockdown approaches.
Remote employees may be inclined to work from cafes or other public locations, which could expose their organisation’s sensitive data to MITM attackers.
There’s also the renewed threat of employees working on the go – whether that’s on their commute, if they need to travel for business or if they’re checking their emails during out-of-office hours.
To combat this threat, organisations must train their staff on the threat of phishing.
You can find out how to do this with the help of our Phishing Staff Awareness Training Programme.
With this training course, you’ll learn how phishing attacks work, the tactics that cyber criminals use and what you should do if you’re targeted.
The course content is updated each quarter with current examples of phishing scams and tactics to help reinforce staff awareness of the threats they face.
You’ll also receive a free monthly staff awareness newsletter containing tips on phishing scams, including current industry news.
A version of this blog was originally published on 17 February 2020.